feat(mcp): scaffold @posthog/mcp package (1/2)#3652
Greptile review (1 issue)
packages/mcp/src/version.ts:1
**`version.ts` committed but should be gitignored**
Every other package in this monorepo that uses the same `prebuild` pattern (`packages/node`, `packages/convex`, `packages/react-native`, `packages/web`) does **not** track the generated `version.ts` in git — confirmed via `git ls-files`. The `packages/mcp/` directory is missing a `.gitignore` that excludes `src/version.ts`. When changesets bumps the version in `package.json`, this committed file stays at `0.1.0` unless someone manually runs `pnpm build` first, meaning the `version` export could be published with a stale value. Add a `.gitignore` (containing at least `src/version.ts` and `dist/`) and remove the committed file from git tracking.
| @@ -0,0 +1 @@ | |||
| export const version = '0.1.0' | |||
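Review bot: the literal `'0.1.0'` in this committed file duplicates the `version` field of `package.json` by hand, and the `prebuild` script in the scripts hunk regenerates it, so the two can silently diverge; add a unit test (or a CI step) that asserts `version` from `./version` equals `require('../package.json').version`, so a stale generated file fails the build instead of shipping.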
Fixed. Added packages/mcp/.gitignore (containing src/version.ts, dist/, coverage/) and git rm --cached-ed the committed src/version.ts. Pattern now matches posthog-node, posthog-react-native, and packages/web. prebuild regenerates it on every build.
📝 No Changeset Found. This PR doesn't include a changeset. A changeset is required to release a new version. How to add a changeset: run this command and follow the prompts: `pnpm changeset`. Remember: Never use
| "test:unit": "jest", | ||
| "prebuild": "node -p \"'export const version = \\'' + require('./package.json').version + '\\''\" > src/version.ts", | ||
| "build": "rslib build", | ||
| "dev": "rslib build -w", | ||
| "prepublishOnly": "pnpm lint && pnpm test:unit && pnpm build", |
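Review bot: `prebuild` only runs ahead of `build`, so `dev` (`rslib build -w`) on a fresh checkout compiles with no `src/version.ts` present; either add a matching `predev` hook that runs the same generator, or make `dev` call it before `rslib build -w`.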
The test script will fail because it depends on src/version.ts which doesn't exist until prebuild runs. The prepublishOnly script runs test:unit before build, causing tests to fail during publish.

// src/index.ts imports from './version'
import { version } from './version'
// src/__tests__/scaffold.test.ts tests this import
import { version } from '../index'
// But src/version.ts is only created by prebuild script
// and prepublishOnly runs: test:unit THEN build

Fix by either:
- Adding a `pretest:unit` script that generates version.ts
- Reordering `prepublishOnly` to run build before tests
- Creating a default version.ts file in the repo
| "test:unit": "jest", | |
| "prebuild": "node -p \"'export const version = \\'' + require('./package.json').version + '\\''\" > src/version.ts", | |
| "build": "rslib build", | |
| "dev": "rslib build -w", | |
| "prepublishOnly": "pnpm lint && pnpm test:unit && pnpm build", | |
| "test:unit": "jest", | |
| "prebuild": "node -p \"'export const version = \\'' + require('./package.json').version + '\\''\" > src/version.ts", | |
| "build": "rslib build", | |
| "dev": "rslib build -w", | |
| "prepublishOnly": "pnpm lint && pnpm build && pnpm test:unit", | |
Fixed in af0ce7b. Extracted the version generator into a reusable generate-version script and hooked it from both pretest:unit and prebuild. Also reordered prepublishOnly so build runs before test:unit. Confirmed pnpm --filter=@posthog/mcp test:unit now works against a fresh checkout.
force-pushed from ad594d2 to e9a0d99
Supply Chain Security Review
⚠️ @modelcontextprotocol/sdk@1.24.3 — two HIGH advisories, fixes available
The resolved devDependency version (1.24.3) is affected by:
- GHSA-345p-7cg4-v4c7 (cross-client data leak) — fixed in 1.26.0
- GHSA-8r9q-7v3j-jr4g / CVE-2026-0621 (ReDoS) — fixed in 1.25.2
Since @modelcontextprotocol/sdk is a devDependency (used for type-checking/testing only) and the package is currently scaffolding-only, runtime risk is negligible today. However, the peerDependencies spec (>=1.11) will allow consumers to use vulnerable versions without warning once this package ships real functionality.
Recommend bumping both the devDependency and the peerDependency floor before the implementation PR lands.
| "devDependencies": { | ||
| "@babel/preset-env": "catalog:", | ||
| "@babel/preset-typescript": "catalog:", | ||
| "@modelcontextprotocol/sdk": "~1.24.2", |
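Review bot: `@modelcontextprotocol/sdk` is the only devDependency in this hunk not sourced from the pnpm catalog (`catalog:`), so a catalog-wide bump of the monorepo's dev tooling will leave the `~1.24.2` pin where it is; either add the SDK to the catalog or make sure the dependency-update automation covers this package-local pin.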
security (P2): devDependency resolves to @modelcontextprotocol/sdk@1.24.3, which is affected by GHSA-345p-7cg4-v4c7 (data leak, fixed 1.26.0) and GHSA-8r9q-7v3j-jr4g (ReDoS, fixed 1.25.2). Bump to a patched range.
Suggested change
| "@modelcontextprotocol/sdk": "~1.24.2", | |
| "@modelcontextprotocol/sdk": "~1.26.0", |
Fixed in af0ce7b. Bumped @modelcontextprotocol/sdk devdep ~1.24.2 -> ~1.29.0. Picks up the GHSA-345p-7cg4-v4c7 (1.26.0) and GHSA-8r9q-7v3j-jr4g (1.25.2) fixes.
| "zod": "^3.25.0" | ||
| }, | ||
| "peerDependencies": { | ||
| "@modelcontextprotocol/sdk": ">=1.11" |
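Review bot: `>=1.11` has no upper bound, so a future 2.x major of `@modelcontextprotocol/sdk` with an incompatible API would still satisfy this peer range without any warning to consumers; when the floor is raised, pair it with a major cap (e.g. `>=1.11 <2`) so the range states both what is known-safe and what has been tested against.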
security (P3): peerDependency floor >=1.11 permits consumers to use versions with known HIGH vulnerabilities. Consider raising the floor to the first fully-patched version once the SDK ships real functionality.
Suggested change
| "@modelcontextprotocol/sdk": ">=1.11" | |
| "@modelcontextprotocol/sdk": ">=1.26" |
Fixed in af0ce7b. Raised the peer dep floor >=1.11 -> >=1.26.0 so consumers cannot resolve to a known-vulnerable host sdk.
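To make the floor argument in the thread above concrete, here is an added example (not PostHog's or the Mendral bot's code) that checks whether an npm dependency range can still resolve to an advisory-affected version, run against the four ranges from this PR: the `~1.24.2` and `~1.29.0` devDependency ranges and the `>=1.11` and `>=1.26.0` peer floors. The advisory IDs and fixed-in versions are copied from the review comments above, not fetched from an advisory database, and the range parser is deliberately minimal (no prerelease tags, no compound ranges); all function names are mine.

```javascript
// Added example (not the project's or the reviewer bot's code): decide whether an npm
// range can resolve to a version covered by a known advisory. Supports the shapes used
// in this PR (">=x.y", "~x.y.z", "^x.y.z") plus exact pins; prerelease tags and
// compound ranges are out of scope.

// Advisories as stated in the review thread (constructed fixture; fixed-in versions
// are copied from the comments above, not fetched from GitHub).
const SDK_ADVISORIES = [
  { id: 'GHSA-345p-7cg4-v4c7', fixedIn: '1.26.0' }, // cross-client data leak
  { id: 'GHSA-8r9q-7v3j-jr4g', fixedIn: '1.25.2' }, // ReDoS (CVE-2026-0621)
]

// "1.26" -> [1, 26, 0]; a missing minor/patch pads to 0, as npm does for ">=1.11".
function parseVersion(text) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(text.trim())
  if (!m) throw new Error(`unsupported version syntax: ${text}`)
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)]
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1
  }
  return 0
}

// Translate one range into the half-open interval [lower, upper) it admits.
// upper === null means unbounded (">=" has no ceiling).
function rangeToInterval(range) {
  const r = range.trim()
  if (r.startsWith('>=')) return { lower: parseVersion(r.slice(2)), upper: null }
  if (r.startsWith('~')) {
    const v = parseVersion(r.slice(1)) // ~1.24.2 -> >=1.24.2 <1.25.0
    return { lower: v, upper: [v[0], v[1] + 1, 0] }
  }
  if (r.startsWith('^')) {
    const v = parseVersion(r.slice(1)) // ^1.2.3 -> <2.0.0; ^0.2.3 -> <0.3.0; ^0.0.3 -> <0.0.4
    const upper = v[0] > 0 ? [v[0] + 1, 0, 0] : v[1] > 0 ? [0, v[1] + 1, 0] : [0, 0, v[2] + 1]
    return { lower: v, upper }
  }
  const v = parseVersion(r) // exact pin admits a single version
  return { lower: v, upper: [v[0], v[1], v[2] + 1] }
}

// For each advisory: can the range still resolve to an affected version (anything
// below fixedIn), and can it resolve to a fixed one at all? A "~" range whose
// ceiling sits below fixedIn can never pick up the fix, so a lockfile refresh
// alone would not have helped; the range itself had to move.
function assessRange(range, advisories) {
  const { lower, upper } = rangeToInterval(range)
  return advisories.map(({ id, fixedIn }) => {
    const fixed = parseVersion(fixedIn)
    return {
      id,
      admitsVulnerable: compareVersions(lower, fixed) < 0,
      admitsFixed: upper === null || compareVersions(upper, fixed) > 0,
    }
  })
}

// Smallest floor that excludes every listed advisory: the largest fixedIn.
function fullyPatchedFloor(advisories) {
  return advisories
    .map((a) => a.fixedIn)
    .sort((x, y) => compareVersions(parseVersion(x), parseVersion(y)))
    .at(-1)
}

// Usage: the ranges from this PR before and after the fix.
for (const range of ['~1.24.2', '~1.29.0', '>=1.11', '>=1.26.0']) {
  console.log(range, JSON.stringify(assessRange(range, SDK_ADVISORIES)))
}
console.log('fully patched floor:', fullyPatchedFloor(SDK_ADVISORIES))
```

The `admitsFixed` flag is the part worth having in a CI check: for `~1.24.2` it is false for both advisories, which means no `pnpm update` within the declared range could ever have pulled in a patched SDK, whereas `>=1.11` admits both vulnerable and fixed versions and only the floor decides what a consumer gets.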
First half of a two-PR stack that ports the previous standalone @posthog/mcp SDK into this monorepo. This PR is intentionally just the package skeleton: configs, monorepo wiring, a stub `src/index.ts`, and one placeholder test. The actual SDK implementation lands in the stacked follow-up PR. Splitting it this way so reviewers can approve the wiring (build, lint, tests, release matrix, eslint overrides) in isolation from the ~3k-line SDK port that follows.

What this PR contains:
- `packages/mcp/package.json` — npm name `@posthog/mcp`, `workspace:*` dep on `@posthog/core`, peer on `@modelcontextprotocol/sdk`.
- `packages/mcp/tsconfig.json` + `tsconfig.build.json` extending the monorepo `@posthog-tooling/tsconfig-base`.
- `packages/mcp/rslib.config.ts` — same dual ESM + CJS + .d.ts shape as posthog-node and @posthog/core.
- `packages/mcp/jest.config.mjs` + `babel.config.mjs` matching posthog-node.
- `packages/mcp/.prettierrc` (2-space, no-semi, single-quote, printWidth 120).
- `packages/mcp/README.md` — install + usage stub.
- `packages/mcp/src/version.ts` — generated by the `prebuild` script.
- `packages/mcp/src/index.ts` — stub exporting `version` only. Replaced by the real SDK entry in the stacked follow-up PR.
- `packages/mcp/src/__tests__/scaffold.test.ts` — single placeholder test so jest doesn't error on `no tests found`. Also removed in the follow-up PR.
- `.eslintrc.cjs` — adds `packages/mcp/**` to the existing `no-console`/relaxed override block.
- `.github/workflows/release.yml` — adds `@posthog/mcp` to the publish matrix.
- `.changeset/posthog-mcp-initial.md` — describes the cumulative `@posthog/mcp 0.1.0` release.
- `pnpm-lock.yaml` — lockfile update.

Verification:
- `pnpm --filter=@posthog/mcp build` — clean.
- `pnpm --filter=@posthog/mcp test:unit` — 1 passing.
- `pnpm --filter=@posthog/mcp lint` — clean.

Generated-By: PostHog Code
Task-Id: baa7e0cd-4946-4524-a05f-42c547a55f44
Every other monorepo package that uses the `prebuild` script pattern (posthog-node, posthog-react-native, packages/web) gitignores `src/version.ts` so the file is regenerated from `package.json` on every build. Without this, changesets bumps `package.json` but the committed `version.ts` stays stale until someone runs `pnpm build` and commits the result.

Generated-By: PostHog Code
Task-Id: baa7e0cd-4946-4524-a05f-42c547a55f44
The scaffold PR alone publishes a useless `@posthog/mcp 0.1.0` (just a stub `index.ts` exporting `version`). Keeping the changeset here means merging the scaffold ahead of the implementation PR fires the release workflow and pings Slack for approval. Move the changeset to the implementation PR so the release proposal only appears once the SDK is actually ready to ship.

Generated-By: PostHog Code
Task-Id: baa7e0cd-4946-4524-a05f-42c547a55f44
…script

Per Greptile / graphite-app / mendral-app review on PR #3652:
- Bump @modelcontextprotocol/sdk devDep ~1.24.2 -> ~1.29.0 to pick up the GHSA-345p-7cg4-v4c7 (data leak, 1.26.0) and GHSA-8r9q-7v3j-jr4g (ReDoS, 1.25.2) fixes.
- Raise peerDependencies floor >=1.11 -> >=1.26.0 so consumers cannot resolve to a known-vulnerable host SDK.
- Extract the src/version.ts generator into a reusable `generate-version` script and hook it from both `pretest:unit` and `prebuild`, so `pnpm --filter=@posthog/mcp test:unit` works standalone (Greptile flagged that test:unit failed against a fresh checkout because version.ts had not been generated yet).
- Reorder prepublishOnly to build before test:unit for the same reason.

Generated-By: PostHog Code
Task-Id: baa7e0cd-4946-4524-a05f-42c547a55f44
force-pushed from e9a0d99 to af0ce7b

Summary

First half of a two-PR stack porting the previous standalone `@posthog/mcp` SDK into this monorepo. This PR is intentionally just the package skeleton — configs, monorepo wiring, a stub `src/index.ts`, and one placeholder test. The actual SDK implementation lands in the stacked follow-up: #3653. Splitting it this way so reviewers can approve the wiring (build, lint, tests, release matrix, eslint overrides) in isolation from the ~3k-line SDK port.

What this PR contains
- `packages/mcp/package.json` — npm name `@posthog/mcp`, `workspace:*` dep on `@posthog/core`, peer on `@modelcontextprotocol/sdk`.
- `packages/mcp/tsconfig.json` + `tsconfig.build.json` extending the monorepo `@posthog-tooling/tsconfig-base`.
- `packages/mcp/rslib.config.ts` — same dual ESM + CJS + `.d.ts` shape as `posthog-node` and `@posthog/core`.
- `packages/mcp/jest.config.mjs` + `babel.config.mjs` matching `posthog-node`.
- `packages/mcp/.prettierrc` (2-space, no-semi, single-quote, printWidth 120).
- `packages/mcp/README.md` — install + usage stub.
- `packages/mcp/src/version.ts` — generated by the `prebuild` script.
- `packages/mcp/src/index.ts` — stub exporting `version` only. Replaced by the real SDK entry in feat(mcp): implement @posthog/mcp SDK on top of @posthog/core (2/2) #3653.
- `packages/mcp/src/__tests__/scaffold.test.ts` — single placeholder test so jest doesn't error on `no tests found`. Removed in feat(mcp): implement @posthog/mcp SDK on top of @posthog/core (2/2) #3653.
- `.eslintrc.cjs` — adds `packages/mcp/**` to the existing no-console/relaxed override block.
- `.github/workflows/release.yml` — adds `@posthog/mcp` to the publish matrix.
- `.changeset/posthog-mcp-initial.md` — describes the cumulative `@posthog/mcp 0.1.0` release.
- `pnpm-lock.yaml` — lockfile update.

Test plan
- `pnpm --filter=@posthog/mcp build` — clean.
- `pnpm --filter=@posthog/mcp test:unit` — 1 placeholder test passing.
- `pnpm --filter=@posthog/mcp lint` — clean.

Created with PostHog Code